PAM Integration: Difference between revisions

From Yocto Project
Jump to navigationJump to search
 
(158 intermediate revisions by 3 users not shown)
Line 1: Line 1:
== Motivation ==
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.  
For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.  


==== Recipes with PAM support ====
== Build image ==
If you want to enable pam support, please add "pam" to DISTRO_FEATURES by add one line to build/conf/local.conf
  DISTRO_FEATURES_append += " pam"


The following recipes were identified to have PAM support (some already implemented) on 2011-06-27:
Then add the packages to sato by apply this patch
  diff --git a/meta/recipes-sato/tasks/task-core-x11-sato.bb b/meta/recipes-sato/tasks/task-core-x11-sato.bb
  index 43b24d2..ea9fa14 100644
  --- a/meta/recipes-sato/tasks/task-core-x11-sato.bb
  +++ b/meta/recipes-sato/tasks/task-core-x11-sato.bb
  @@ -31,4 +31,11 @@ RDEPENDS_task-core-x11-sato = "\
      gtk-sato-engine \
      gthumb \
      x11vnc \
  -   ${NETWORK_MANAGER}"
  +    ${NETWORK_MANAGER} \
  +      \
  +      at \
  +      cronie \
  +      cups \
  +      polkit \
  +      screen \
  +      shadow \
  +      sudo "


* at
openssh is conflict with dropbear. If you want to test openssh please uninstall dropbear first and then install openssh.
** enable pam option, it can pass compiling.  
 
diff --git a/meta/recipes-extended/at/at-3.1.12/configure-add-enable-pam.patch b/meta/recipes-extended/at/at-3.1.12/configure-add-enable-pam.patch
Then you can build the core-image-sato and test these packages on the sato image.
new file mode 100644
 
index 0000000..f5efb1b
== Log files ==
--- /dev/null
We can test the packages both on core-image-sato and core-image-lsb
+++ b/meta/recipes-extended/at/at-3.1.12/configure-add-enable-pam.patch
* on sato, edit the /etc/syslog.conf, set
@@ -0,0 +1,23 @@
  DESTINATION="file"   
+--- at-3.1.12/configure.ac 2011-06-23 14:51:03.653572945 +0800
then you can check the log via /var/log/message
++++ at-3.1.12/configure.ac.new 2011-06-27 16:12:14.903572945 +0800
* on lsb, the log information are send to /var/log/auth.log
+@@ -81,10 +81,18 @@
 
+ AC_FUNC_VPRINTF
== Common configure files ==
+ AC_FUNC_GETLOADAVG
For convenience, list common configure files here:
+ AC_CHECK_FUNCS(getcwd mktime strftime setreuid setresuid sigaction waitpid)
 
++
common-auth
++AC_ARG_WITH([pam],
  auth [success=1 default=ignore] pam_unix.so nullok_secure
++ [AS_HELP_STRING([--without-pam], [without PAM support])])
  auth requisite pam_deny.so
++
  auth required pam_permit.so
++if test "x$with_pam" != xno; then
 
+ AC_CHECK_HEADERS(security/pam_appl.h, [
common-account
+   PAMLIB="-lpam"
  account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
+AC_DEFINE(HAVE_PAM, 1, [Define to 1 for PAM support])
  account requisite                      pam_deny.so
+-])
  account required                        pam_permit.so
++ AC_DEFINE(HAVE_PAM, 1, [Define to 1 for PAM support])],
 
++  [if test "x$with_pam" = xyes; then
common-password
++  AC_MSG_ERROR([PAM selected but security/pam_misc.h not found])
  password        [success=1 default=ignore]      pam_unix.so obscure sha512
++   fi])
  password        requisite                      pam_deny.so
++fi
  password        required                        pam_permit.so
+
 
+ dnl Checking for programs
common-session
+
  session [default=1]                    pam_permit.so
diff --git a/meta/recipes-extended/at/at_3.1.12.bb b/meta/recipes-extended/at/at_3.1.12.bb
  session requisite                      pam_deny.so
index 3a94497..25ebf50 100644
  session required                        pam_permit.so
--- a/meta/recipes-extended/at/at_3.1.12.bb
  session required                        pam_unix.so
+++ b/meta/recipes-extended/at/at_3.1.12.bb
 
@@ -4,10 +4,11 @@ the system load levels drop to a particular level."
common-session-noninteractive
  SECTION = "base"
  session [default=1]                    pam_permit.so
  LICENSE="GPLv2+"
  session requisite                      pam_deny.so
  LIC_FILES_CHKSUM = "file://COPYING;md5=4325afd396febcb659c36b49533135d4"
  session required                        pam_permit.so
-DEPENDS = "flex libpam initscripts"
  session required                        pam_unix.so
+DEPENDS = "flex libpam initscripts \
 
+ ${@base_contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
== Recipes with PAM support ==
  RCONFLICTS_${PN} = "atd"
The following recipes are identified to have PAM support:
  RREPLACES_${PN} = "atd"
 
-PR = "r4"
=== at ===
+PR = "r5"
* Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test    # Verify if the message has been there
 
* /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':
 
auth      required    pam_env.so
auth      include    common-auth
account    include    common-account
session    include    common-session-noninteractive
session    required    pam_limits.so
 
* test pam plugins
** pam_env.so
modify /etc/pam.d/atd
auth      required    pam_env.so    debug
modify /etc/security/pam_env.conf, add a test entry such as:
MYNAME          DEFAULT="test-at"
 
log in /var/log/auth.log:
Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")
 
** pam_limits.so
add line to /etc/security/limits.conf
root    -       nofile  3
'at' job failed, log in /var/log/auth.log:
Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files
 
modify the line:
root    -      nofile  4
'at' job successed, log in /var/log/auth.log:
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)                     
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root
 
=== cronie ===
* /etc/pam.d/crond:
account    required  pam_access.so
account    include    common-password
session    required  pam_loginuid.so
session    include    common-session-noninteractive
auth      include    common-auth
 
* test commands:
crontab -e    # establish a crontab jobs and check if it works
crontab -l    # list crontab jobs for current user
 
* test pam plugins
Verified, test ways and the logs/results please refer to other packages:
** pam_env.so
** pam_access.so
** pam_unix.so
** pam_permit.so
** pam_deny.so
 
** pam_loginuid.so
TBD
 
=== cups ===
* /etc/pam.d/cups
auth     required pam_unix.so shadow nodelay
account    required pam_unix.so
 
* Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...                             
<Location />                                                   
  Order allow,deny                                             
+ allow all                                                     
</Location>
...
# Restrict access to the admin pages...                         
<Location /admin>                                               
  Order allow,deny                                             
+ allow all                                                     
</Location>
...
 
* Test pam plugins
** pam_unix.so
Add debug option to '/etc/pam/cups':
auth     required pam_unix.so shadow nodelay debug
account    required pam_unix.so debug
 
Access the cups configure page via web browser:
http://<qemu.ip>:631
Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:
user: root
pwd: <correct password>
 
Entry the 'Add Printer' configure page successed.
 
Input error password:
user: root
pwd: <error password>
 
Check log in '/var/log/cups/error_log':
E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!
 
Modify '/etc/shadow':
-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:
 
Repeat the user authentication steps, check log in '/var/log/cups/error_log':
E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!
 
=== dropbear ===
* For supporting pam in dropbear, we need two steps:
* Add configuration "--enable-pam"
* Add patches to open macro definition for supporting in option.h
--- a/ptions.2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new     2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
  * but there's an interface via a PAM module - don't bother using it otherwise.
  * You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
  /* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
  #define ENABLE_SVR_PUBKEY_AUTH
  /* Wether to ake public key options in authorized_keys file into account */
 
* Test result(dropbear only support simple authentication, account and auth)
** '''Server(account)'''
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
  #%PAM-1.0
account  required    pam_access.so
$vi /etc/security/access.conf
- : root : ALL
 
** '''Client'''
$ssh username@server-ip
(Disallow access)
 
** '''log information'''
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633
 
** '''Server(auth)'''
$vi /etc/pam.d/sshd
   auth include common-auth
$vi /etc/pam.d/common-auth
  #auth  [success=1 default=ignore]      pam_unix.so nullok_secure
auth    [success=0 default=ignore]     pam_unix.so debug
$ passwd -d username <blank password>
 
** '''Client'''
$ssh username@server-ip
(Disallow access)
 
** '''log information'''
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=yxf
  Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379
 
=== openssh ===
* Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
* Test Result
** '''Configuration of sshd'''
auth      include      common-auth
account    required    pam_nologin.so
account    include      common-account
password   include      common-password
session    optional    pam_keyinit.so force revoke
session    include      common-session
session    required    pam_loginuid.so
** '''auth include common-auth --Server'''
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
  PermitEmptyPasswords yes
 
Other is as same as sudo
** '''log information'''
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)
 
 
** '''account required pam_nologin.so --Server'''
$touch /etc/nologin
 
** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information --Server'''
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia
 
** '''account include common-account --Server'''
$vi /etc/ssh/sshd_config
  PermitEmptyPasswords no
$vi /etc/pam.d/common-account
  #account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
  account [success=0 new_authtok_reqd=done default=ignore]        pam_unix.so
** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information'''
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2
 
** '''password include common-password'''
$vi /etc/pam.d/common-password
  password        [success=1 default=ignore]      pam_unix.so obscure sha512
 
It's no use for sshd, So no test result for this item
 
** '''session optional  pam_keyinit.so force revoke --Server'''
No action
** '''Client'''
$ssh username@server-ip
** '''log information'''
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0]  GID:1000 [0]
  Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
** '''Client'''( the same session as the above "client"   )
$exit
** '''log information'''
  Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
  Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0]  GID:1000 [0]
 
** '''session include common-session --Server'''
$vi /etc/pam.d/common-session
  #session [default=1] pam_permit.so
  session [default=0] pam_permit.so
** '''Client'''
$ssh username@server-ip
(Disallow accession)
** '''log information'''
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
** ''' session required  pam_loginuid.so --Server'''(Record user´s login uid to the process attribute)
  No action
** '''Client'''
$ssh username@server-ip
** '''log information'''
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local]
  Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)
 
=== polkit ===
Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test.
Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.
 
* '''Pam configuration file of polkit '''
%PAM-1.0
auth      include      common-auth
account    include      common-account
password  include      common-password
session    include      common-session
* '''Test Reult'''
** '''Normally pkexec can call pam modules from the above configuration file'''
$ pkexec cat /var/log/auth.log
  ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
  Authentication is needed to run `/bin/cat' as the super user
  Authenticating as: root
  Password: <---Input root password and press key "Enter"
   
   
  SRC_URI = "${DEBIAN_MIRROR}/main/a/at/at_${PV}.orig.tar.gz \
  Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec  cat /var/log/auth.log],
    file://configure.patch \
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
@@ -17,7 +18,8 @@ SRC_URI = "${DEBIAN_MIRROR}/main/a/at/at_${PV}.orig.tar.gz \
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
    file://posixtm.c \
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
    file://posixtm.h \
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
    file://file_replacement_with_gplv2.patch \
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
-   file://S99at"
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
+    file://S99at \
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
+ file://configure-add-enable-pam.patch"
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
** '''auth include common-auth'''
$vi /etc/pam.d/common-auth
  #auth    [success=1 default=ignore]      pam_unix.so nullok_secure
  auth   [success=0 default=ignore]      pam_unix.so nullok_secure
 
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized
   
   
  SRC_URI[md5sum] = "1e67991776148fb319fd77a2e599a765"
  This incident has been reported.
  SRC_URI[sha256sum] = "7c55c6ab4fbe8add9e68f31b2b0ebf3fe805c9a4e7cfb2623a3d8a4789cc18f3"
 
@@ -26,7 +28,8 @@ EXTRA_OECONF += "ac_cv_path_SENDMAIL=/bin/true \
log information in /var/log/auth.log
                  --with-daemon_username=root \
Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
                  --with-daemon_groupname=root \
** '''account include common-account'''
                  --with-jobdir=/var/spool/at/jobs \
$ vi /etc/pam.d/common-account
-                 --with-atspool=/var/spool/at/spool"
#account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
+                --with-atspool=/var/spool/at/spool \
account [success=0 new_authtok_reqd=done default=ignore]        pam_unix.so
+ ${@base_contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} "
 
   
$ pkexec cat /var/log/auth.log
  inherit autotools
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
* consolekit
Authentication is needed to run `/bin/cat' as the super user
* cronie
Authenticating as: root
* cups
Password:
* dropbear
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
* gnome-keyring
Error: Permission denied
* libcap
==== AUTHENTICATION FAILED ===
* libuser
Error executing command as another user: Not authorized
* mc
 
* openssh
log information in /var/log/auth.log
* polkit
Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
* screen
 
* shadow
** '''password include common-password'''
* sudo
It is no use for polkit. So I don't test it
* util-linux
** '''session include common-session'''
$ vi /etc/pam.d/common-session
#session [default=1]                    pam_permit.so
session [default=0]                     pam_permit.so
 
$ pkexec cat /var/log/auth.log
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password:
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied
 
log information in /var/log/auth.log
Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
 
=== screen ===
screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth
  #%PAM-1.0
  auth      include      common-auth
 
First start screen:
  root@qemux86:/etc/pam.d# screen
it will show some information about screen, just press Space or Enter and it will give a screen terminal:
  root@qemux86:/etc/pam.d#
then press "Ctrl+a x" will lock the screen terminal and show:
   
  Screen used by root <root>.
  Password:
 
In another root terminal, clear the root's password:
  password -d root
 
modify one line in common-auth
  auth [success=1 default=ignore] pam_unix.so nullok_secure
with
  auth [success=1 default=ignore] pam_unix.so debug
option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.
 
Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:
  Screen used by root <root>.
  Password:
  Screen used by root <root>.
  Password:
 
then modify the line in common-auth with
  auth [success=1 default=ignore] pam_unix.so nullok_secure debug
 
On the screen terminal press <Enter> again it unlock the terminal.
 
the log in /var/log/auth.log:
  Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=root
 
=== shadow ===
==== chage ====
/etc/pam.d/chage: replace system-auth with common-password
  #%PAM-1.0
  auth sufficient pam_rootok.so
  account required pam_permit.so
  password include common-auth(common-password)
* test pam_rootok.so
add the only option for pam_rootok.so
  auth sufficient pam_rootok.so debug
 
run command chage as root:
  root@qemux86:/etc/pam.d# chage -m 10 test
 
log info in /var/log/message shows pam_rootok.so return success:
  Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
  Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test
 
* pam_unix.so
The password component of pam_unix.so performs the task of updating the user´s password. And chage changes user password expiry information.
 
No test point.
 
==== chfn ====
/etc/pam.d/chfn
  auth     sufficient pam_rootok.so
  auth      include      common-auth
  account    include      common-account
  session    include      common-session
add option debug to pam_rootok.so
  auth     sufficient pam_rootok.so debug
 
* pam_rootok.so
run command chfn as root:
  root@qemux86:/etc/pam.d# chfn -f testyayay test
 
log info in /var/log/message shows pam_rootok.so return success:
  Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
  Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information
 
* pam_unix.so
the content of common-auth are shown at section "Common configure files"
 
comment the configure file chfn pam_rootok.so line, because it will make pam return success:
 
  #auth sufficient pam_rootok.so
 
and modify the pam_unix.so line in common-auth to remove nullok_secure:
 
  auth [success=1 default=ignore] pam_unix.so debug
 
run commands:
 
  root@qemux86:/etc/pam.d# passwd -d root
  root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
  Password:
  chfn: PAM authentication failed
 
log in /var/log/message:
 
  Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=root
 
==== chgpasswd ====
/etc/pam.d/chgpasswd(need patch)
  #%PAM-1.0
  auth sufficient pam_rootok.so
  account required pam_permit.so
  password include system-auth
 
test pam_rootok.so and pam_unix.so(common-password) refer to test steps in chfn
 
==== chpasswd ====
/etc/pam.d/chpasswd
  password  include      common-password
common-password are listed before, we remove the pam_unix.so option nullok_secure and add audit:
  password [success=1 default=ignore] pam_unix.so  audit
 
commands to test:
  root@qemux86:/etc/pam.d# chpasswd
  test:
  Press Ctrl+d, the follow are terminal output:
  No password supplied
  No password supplied
  No password supplied
  chpasswd: (user test) pam_chauthtok() failed, error:
  Authentication token manipulation error
  chpasswd: (line 1, user test) password not changed
 
syslog info:
  Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
  Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
  Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
  Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
  Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
  Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
  Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
  Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable
 
==== chsh ====
/etc/pam.d/chsh
  auth      required    pam_shells.so
  auth      sufficient      pam_rootok.so
  auth      include      common-auth
  account    include      common-account
  session    include      common-session
* pam_shells.so
pam_shells only allows access to the system if the users shell is listed in /etc/shells. It also checks if /etc/shells is a plain file and not world writable.
 
check /etc/shells first:
  qemux86:~$ ls -l /etc/shells
  -rw-r--r--    1 root    root          109 Jul 12 06:05 /etc/shells
  qemux86:~$ cat /etc/shells
  # /etc/shells: valid login shells
  /bin/sh
  /bin/ash
  /bin/bash
  /bin/dash
  /bin/ksh
  /usr/bin/ksh
  /usr/bin/screen
  qemux86:~$
 
login as a unprivileged user, the correct process is:
  qemux86:~$ chsh -s /bin/ash
  Password: <-- Enter password here
  qemux86:~$
 
syslog info:
  Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
  Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'
 
now remove /bin/ash from /etc/shells, then run the same command:
  qemux86:~$ chsh -s /bin/ash
  Password: <-- Enter password here
  chsh: /bin/ash is an invalid shell.
  qemux86:~$
 
if you make /etc/shells is writable to all people, chsh will fail with syslog info:
  Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file
 
* pam_rootok.so
modify pam_rootok.so item:
  auth      required    pam_rootok.so debug
 
then unprivileged users can't change their shell.
  qemux86:~$ chsh -s /bin/ash
  Password:
  chsh: PAM authentication failed
  qemux86:~$
 
syslog info:
  Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed
 
* pam_unix.so
**pam_unix in common-auth: please refer to sudo tests
**pam_unix in common-account and common-password don't have test point.
 
==== groupadd ====
/etc/pam.d/groupadd:
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
 
* pam_rootok
please refer to chfn tests
 
*pam_unix.so in common-password doesn't has test point
 
==== groupdel ====
/etc/pam.d/groupdel(need patch)
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
* pam_rootok
please refer to chfn tests
 
==== groupmems ====
/etc/pam.d/groupmems
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
 
*pam_rootok:
refer to chfn tests
 
*pam_unix in common-password doesn't has test point
 
==== groupmod ====
/etc/pam.d/groupmod
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        common-password
 
* pam_rootok
refer to chfn tests
 
* pam_unix in common-password
no test point
 
==== login ====
/etc/pam.d/login
  auth      optional    pam_faildelay.so  delay=3000000
  auth      [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
  auth      requisite    pam_nologin.so
  session    required    pam_env.so readenv=1
  session    required    pam_env.so readenv=1 envfile=/etc/default/locale
  auth      include      common-auth
  auth      optional    pam_group.so
  session    required    pam_limits.so                                     
  session    optional    pam_lastlog.so                                   
  session    optional    pam_motd.so                             
  session    optional    pam_mail.so standard                   
                                                             
  account    include      common-account                       
  password  include      common-password                     
  session    include      common-session
 
* pam_faildelay
this plugin an be used to set the delay on failure per-application. We increase "delay" to make it more obviously
  auth      optional  pam_faildelay.so  delay=10000000
 
run login as root:
  root@qemux86:~# login
  qemux86 login: ''root''
  Password: ''<-- enter a wrong password here, then will wait for 10 seconds to show next "login:"''
 
  Login incorrect
  qemux86 login:
 
syslog info:
  Jul 17 07:22:17 qemux86 authpriv.notice login[2223]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=root
  Jul 17 07:22:26 qemux86 authpriv.notice login[2223]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'root', Authentication failure
 
* pam_securetty
pam_securetty allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty.
 
test steps:
  # ssh to yocto linux
  $ ssh root@192.168.7.2
  root@qemux86:~# tty
  /dev/pts/1
  root@qemux86:~# login
  qemux86 login: root
                      <-- don't ask for password, failed directly
  Login incorrect
  qemux86 login:
 
syslog info
  Jul 17 07:52:32 qemux86 authpriv.warn login[2341]: pam_securetty(login:auth): access denied: tty 'pts/1' is not secure !
  Jul 17 07:52:35 qemux86 authpriv.notice login[2341]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'root', Authentication failure
 
Then add "pts/1" to file /etc/securetty, run commonds:
  root@qemux86:~# login
  qemux86 login: ''root''
  Password:
  Last login: Sun Jul 17 07:52:21 UTC 2011 from k-desktop.local on pts/1
  root@qemux86:~#
 
syslog info
  Jul 17 07:56:00 qemux86 authpriv.notice login[2348]: ROOT LOGIN  on '/dev/pts/1'
 
* pam_nologin
pam_nologin prevents non-root users from logging into the system when /etc/nologin exists.
 
test steps
  root@qemux86:~# ls /etc/nologin
  ls: /etc/nologin: No such file or directory
  root@qemux86:~# login
  qemux86 login: test
  Last login: Sun Jul 17 07:19:24 UTC 2011 on pts/2
  qemux86:~$ logout
  root@qemux86:~# touch /etc/nologin
  root@qemux86:~# login
  qemux86 login: test
 
 
  Login incorrect
  qemux86 login:
 
syslog info
  Jul 17 08:08:07 qemux86 authpriv.info login[2366]: pam_unix(login:session): session opened for user test by root(uid=0)
  Jul 17 08:08:08 qemux86 authpriv.info login[2366]: pam_unix(login:session): session closed for user test
  Jul 17 08:08:51 qemux86 authpriv.notice login[2371]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'test', Authentication failure
 
* pam_env
refer to su tests
 
* pam_unix in common-auth
refer to chfn tests
 
* pam_group
pam_group grants group memberships to the user. Its configure file is /etc/security/group.conf.
 
First get your current tty by run
  root@qemux86:/etc/pam.d# tty
  /dev/pts/2
  root@qemux86:/etc/pam.d#
 
then add a item to /etc/security/group.conf
  login; pts/* ;%root;Al0000-2400;'''plugdev,test
'''
after that run commands
  root@qemux86:/etc/pam.d# id
  uid=0(root) gid=0(root) groups=0(root)
  root@qemux86:/etc/pam.d# login
  qemux86 login: root
 
  Password:
  Last login: Mon Jul 18 00:20:47 UTC 2011 on pts/2
  root@qemux86:~# id
  uid=0(root) gid=0(root) groups=0(root),'''46(plugdev),1001(test)'''
  root@qemux86:~#
 
* pam_limits
pam_limits sets limits on the system resources that can be obtained in a user-session.
 
Its default configure file is /etc/security/limits.conf, modify it with
  test        -      maxlogins      1
 
Login unprivileged user "test"
  root@qemux86:/etc/pam.d# login
  qemux86 login: '''test'''
  Last login: Sun Jul 17 08:08:07 UTC 2011 on pts/1
  qemux86:~$ 
And login in another terminal
  root@qemux86:~# login
  qemux86 login: test
  Too many logins for 'test'.
  Last login: Mon Jul 18 01:21:54 UTC 2011 on pts/2
 
  Permission denied
 
syslog info:
  Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): reading settings from '/etc/security/limits.conf'
  Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): process_limit: processing - maxlogins 1 for USER
  Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): checking logins for 'test' (maximum of 1)
  Jul 18 01:39:55 qemux86 authpriv.warn login[2668]: pam_limits(login:session): Too many logins (max 1) for test
  Jul 18 01:39:55 qemux86 authpriv.info login[2668]: pam_unix(login:session): session opened for user test by root(uid=0)
  Jul 18 01:39:55 qemux86 authpriv.err login[2668]: Permission denied
 
* pam_lastlog
pam_lastlog is to display date of last login.
add options to pam_lastlog
  session    optional  pam_lastlog.so debug nodate
 
run commands and you can check that no last login date information shows
  root@qemux86:~# login
  qemux86 login: test
  Last login: on pts/2
  qemux86:~$
 
* pam_motd
pam_motd can be used to display arbitrary motd (message of the day) files after a successful login. By default the /etc/motd file is shown.
 
test steps:
  root@qemux86:~# cat /etc/motd
  root@qemux86:~# echo "Welcome to Yocto" > /etc/motd
  root@qemux86:~# login
  qemux86 login: root
  Password:
  Last login: on pts/1
  '''Welcome to Yocto'''
  root@qemux86:~#
 
* pam_mail
refer to su tests
 
==== newusers ====
/etc/pam.d/newusers
  password  include      common-password
 
*pam_unix
modify the pam_unix item in common-password
  password        [success=1 default=ignore]      pam_unix.so debug
 
run command:
  root@qemux86:~# newusers
  a::::::[Press key Enter]
  [Press Ctrl+d]
  No password supplied
  No password supplied
  No password supplied
  newusers: (user a) pam_chauthtok() failed, error:
  Authentication token manipulation error
  newusers: (line 1, user a) password not changed
 
syslog info:
  Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
  Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
  Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
  Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
  Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
  Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable
 
==== passwd ====
/etc/pam.d/passwd
  password  include      common-password
 
* pam_unix in common-password
modify the item to make password length not less than 4 characters:
  password        [success=1 default=ignore]      pam_unix.so minlen=4 debug
 
run test commands:
  qemux86:~$ passwd
  Changing password for test.
  (current) UNIX password: <-- input 123 here
  Enter new UNIX password:
  Retype new UNIX password:
  You must choose a longer password
  Enter new UNIX password: <-- input 1234 here
  Retype new UNIX password:
  passwd: password updated successfully
  qemux86:~$
 
syslog doesn't has detail informatiaon
  Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
  Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
  Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test
 
==== su ====
/etc/pam.d/su
  auth      sufficient  pam_rootok.so
  session    required    pam_env.so readenv=1
  session    required    pam_env.so readenv=1 envfile=/etc/default/locale
  session    optional    pam_mail.so nopen
  auth      include      common-auth
  account    include      common-account
  session    include      common-session
 
* pam_rootok
refer to chfn tests
 
* pam_env
option readenv=1 means read configure file pointed by variable envfile, default is /etc/environment
 
We will add a variable named YOCTO to /etc/environment.
First we will check there is no var YOCTO after su
  root@qemux86:~# su test
  test@qemux86:/home/root$ echo $YOCTO
 
  test@qemux86:/home/root$
 
after add YOCTO=yoctolinux to /etc/environment, then test again
  root@qemux86:~# su test
  test@qemux86:/home/root$ echo $YOCTO
  yoctolinux
  test@qemux86:/home/root$
 
* pam_mail
The mailx in Yocto can NOT run correctly, so didn't test it.
Test steps should be as follows.
First remove option nopen which prevents show user mails
  #session    optional  pam_mail.so nopen
  session    optional  pam_mail.so
 
Then mail a user, such as root(run test on Fedora 14)
  [packager@F14 ~]$ mail root
  Subject: ''test''
  ''test''
  EOT
  [packager@F14 ~]$ export LANG=C
  [packager@F14 ~]$ su -
  Password:
  '''You have old mail in folder /var/mail/root.'''
  [root@F14 ~]#
 
* pam_unix in common-auth
refer to chfn tests
 
* pam_unix in common-account/common-session has no test point
 
==== useradd ====
/etc/pam.d/useradd(need patch)
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
 
* pam_rootok
refer to chfn tests
 
* pam_unix in common-password:
no test point
 
==== userdel ====
/etc/pam.d/userdel(need patch)
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
 
* pam_rootok
refer to chfn tests
 
* pam_unix in common-password:
no test point
 
==== usermod ====
/etc/pam.d/usermod(need patch)
  #%PAM-1.0
  auth            sufficient      pam_rootok.so
  account        required        pam_permit.so
  password        include        system-auth(common-password)
 
* pam_rootok
refer to chfn tests
 
* pam_unix in common-password
no test point
 
=== sudo ===
*/etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
  #%PAM-1.0
  auth      include      common-auth
  account    include      common-account
  password  include      common-password
  session    required    pam_keyinit.so revoke
  session    required    pam_limits.so
and content of common-auth has been show above.
 
*test pam plugins
**pam_unix.so
modify common-auth:
  auth    [success=1 default=ignore]      pam_unix.so debug
then unpriviledge user can NOT run sudo with blank password
  qemux86:~$ sudo rm /test
  Password:
  Sorry, try again.
  Password:
  Sorry, try again.
  Password:
  Sorry, try again.
  sudo: 3 incorrect password attempts
  qemux86:~$ sudo rm /test
  qemux86:~$
 
log in /var/log/auth.log:
  Jul  8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost=  user=test-pam
  Jul  8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
  Jul  8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
  Jul  8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 
**pam_deny.so
mv line
  auth    requisite                      pam_deny.so
to the head of file, unprivilege user can NOT sudo any more:
  qemux86:~$ sudo rm /test
  Sorry, try again.
  Sorry, try again.
  Sorry, try again.
  sudo: 3 incorrect password attempts
  qemux86:~$
 
log in /var/log/auth.log:
  Jul  7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 
**pam_permit.so
comment this line
  auth    required                        pam_permit.so
 
sudo will fail without ask user to enter password:
  qemux86:~$ sudo rm /test
  Sorry, try again.
  Sorry, try again.
  Sorry, try again.
  sudo: 3 incorrect password attempts
  qemux86:~$
 
log in /var/log/auth.log:
  Jul  7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test
 
**pam_limits.so
add line to /etc/security/limits.conf
  *        -      nofile      3
then sudo will fail:
  qemux86:~$ sudo rm /test
  Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!
 
modify the line:
  *        -      nofile      4
  qemux86:~$ sudo rm /test
  qemux86:~$
 
log in /var/log/auth.log:
  Jul  8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
  Jul  8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
  Jul  8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
  Jul  8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
  Jul  8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
  Jul  8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
  Jul  8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT
 
** pam_keyinit
add option debug
  session    optional    pam_keyinit.so revoke debug
 
log shows pam_keyinit was called:
  Jul  7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
  Jul  7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
  Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
  Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0]  GID:0 [1000]
  Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
  Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571
 
according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS
 
== Identify upstream PAM patches to use ==
After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):
* libpam: need update from current 1.1.3 to 1.1.4 [https://www.redhat.com/archives/pam-list/2011-June/msg00013.html Release Notes]
* sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
** /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
  #%PAM-1.0
  auth      include      system-auth
  account    include      system-auth
  password  include      system-auth
  session    optional    pam_keyinit.so revoke
  session    required    pam_limits.so
 
* screen: check Fedora screen.pam
 
* util-linux: check Fedora source file util-linux-remote.pamd
 
* at: check Fedora util-linux-remote.pamd
 
* cups: check Fedora cups-1.1.16-system-auth.patch
 
* openssh: check Fedora sshd.pam
 
== PAM Unit Tests==
We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code. Right now we spit it as a sub-package libpam-xtests. After "bitbake libpam" you can find it under deploy directory. And it requires some packages:
    pam-plugin-debug 
    pam-plugin-access 
    pam-plugin-cracklib
    pam-plugin-time 
    pam-plugin-pwhistory  
    pam-plugin-succeed-if  
 
All test cases are:
    tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
    tst-pam_dispatch4 tst-pam_dispatch5 \
    tst-pam_cracklib1 tst-pam_cracklib2 \
    tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
    tst-pam_access1 tst-pam_access2 tst-pam_access3 \
    tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
    tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
    tst-pam_pwhistory1 tst-pam_time1
 
On build machine after install package libpam-xtests, go to the xtexts directory and run tests
  export ALL_TESTS="tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
    tst-pam_dispatch4 tst-pam_dispatch5 \
    tst-pam_cracklib1 tst-pam_cracklib2 \
    tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
    tst-pam_access1 tst-pam_access2 tst-pam_access3 \
    tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
    tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
    tst-pam_pwhistory1 tst-pam_time1"
  cd /usr/share/Linux-PAM/xtests
  ./run-xtests.sh `pwd` $ALL_TESTS
 
If you want to run sigle test case, just run (take tst-pam_time1 for example)
  ./run-xtests.sh . tst-pam_time1
 
Two unit tests may NOT passed, they need some prerequisite:
* tst-pam_cracklib1
* tst-pam_cracklib2
**need /lib/security/pam_cracklib.so, need build cracklib first, and then libpam will check it and create pam-plugin-cracklib
**need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
  cp /usr/share/cracklib/cracklib-small /tmp
  gzip /tmp/cracklib-small
  create-cracklib-dict /tmp/cracklib-small.gz
 
== Notes ==
 
=== Packages dropped ===
At the beginning we got a list of packages that use pam. After more work, some of them are dropped.
* consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam. Drop it.
* gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm. So drop it.
* util-linux: 3 programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them. Drop it.
* mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. [http://www.midnight-commander.org/changeset/4816107a02ccbf6331534113e6ec0c8df84e24eb Official change log]
* libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
* libuser: pam is libuser's build dependency, so remove it too.
* The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
* If you want to use pam_limits in /etc/pam.d/login, you have to add VIRTUAL-RUNTIME_login_manager = "busybox" to your distro config in order to replace tinylogin with busybox, as tinylogin does not provide PAM capabilites; also make sure that "login" and "PAM" are enabled in your busybox config
* gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.
* xserver: based on following 2 reason drop it.
** the code use pam is old. Add xserver to original list to be pam-enabled by "bzgrep"  tar balls. But in xserver the code to use pam only in os/utils.c function CheckUserAuthorization. No configure mechanism is provided to define macro USE_PAM to make the pam codes enabled. According to the comments, pam authentication only done for setuid servers (uid != euid). Our Xorg is not a setuid server, so we don't need it .
** Xorg in Fedora doesn't support pam. Once I check the xorg-x11-server.spec, and it installs a pam related configure file, so I thought it is pam enabled. But I check the executable file /usr/bin/Xorg , that /usr/bin/Xorg even doesn't link to libpam or libpam_misc. The config file "xserver" is also from Fedora 15,  because it is not supported by Fedora itself we don't have any reason to support the configure file in oe.


Note also:
=== Common configure files ===
When import pam related configure file for each package from Fedora, it may contains "include system-auth". System-auth is the Fedora common configure file and it is autogenerated by command authconfig. It contain all 4 types(auth, account, session, password) rules. But in Yocto these common rules are seperated according pam type, and they are common-auth, common-account, common-session and common-password.


* The busybox box login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
So if configure files from Fedora contains system-auth, we use the seperated common configure files instead.
* gettext has a example file use pam in source code, I think it is just a example and don't need care
* sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam , and it doesn't patched right now. And the package doesn't provide pam related configure option either.
* In xserver-xf86-lite source code subdir os/utils checks #ifdef USE_PAM but there are no configure-time options for PAM.

Latest revision as of 14:07, 15 April 2013

Motivation

For Yocto 1.1 we are working to ensure that PAM (Pluggable Authentication Module) support is consistent and enabled in recipes where it is applicable.

Build image

If you want to enable pam support, please add "pam" to DISTRO_FEATURES by add one line to build/conf/local.conf

 DISTRO_FEATURES_append += " pam"

Then add the packages to sato by apply this patch

 diff --git a/meta/recipes-sato/tasks/task-core-x11-sato.bb b/meta/recipes-sato/tasks/task-core-x11-sato.bb
 index 43b24d2..ea9fa14 100644
 --- a/meta/recipes-sato/tasks/task-core-x11-sato.bb
 +++ b/meta/recipes-sato/tasks/task-core-x11-sato.bb
 @@ -31,4 +31,11 @@ RDEPENDS_task-core-x11-sato = "\
      gtk-sato-engine \
      gthumb \
      x11vnc \
 -    ${NETWORK_MANAGER}"
 +    ${NETWORK_MANAGER} \
 +       \
 +       at \
 +       cronie \
 +       cups \
 +       polkit \
 +       screen \
 +       shadow \
 +       sudo "

openssh is conflict with dropbear. If you want to test openssh please uninstall dropbear first and then install openssh.

Then you can build the core-image-sato and test these packages on the sato image.

Log files

We can test the packages both on core-image-sato and core-image-lsb

  • on sato, edit the /etc/syslog.conf, set
 DESTINATION="file"     

then you can check the log via /var/log/message

  • on lsb, the log information are send to /var/log/auth.log

Common configure files

For convenience, list common configure files here:

common-auth

 auth	[success=1 default=ignore]	pam_unix.so nullok_secure
 auth	requisite			pam_deny.so
 auth	required			pam_permit.so

common-account

 account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so 
 account requisite                       pam_deny.so
 account required                        pam_permit.so

common-password

 password        [success=1 default=ignore]      pam_unix.so obscure sha512
 password        requisite                       pam_deny.so
 password        required                        pam_permit.so

common-session

 session [default=1]                     pam_permit.so
 session requisite                       pam_deny.so
 session required                        pam_permit.so
 session required                        pam_unix.so 

common-session-noninteractive

 session [default=1]                     pam_permit.so
 session requisite                       pam_deny.so
 session required                        pam_permit.so
 session required                        pam_unix.so

Recipes with PAM support

The following recipes are identified to have PAM support:

at

  • Simple ways to verify 'at':
$ at now
$ echo "$msg_to_print" >> /tmp/at_test
$ < ctrl+D >
$ cat /tmp/at_test    # Verify if the message has been there 
  • /etc/pam.d/atd - not installed by default, copy it from source code and replace '@include' with appropriate 'module-type include':
auth       required    pam_env.so
auth       include     common-auth
account    include     common-account
session    include     common-session-noninteractive
session    required    pam_limits.so
  • test pam plugins
    • pam_env.so

modify /etc/pam.d/atd

auth       required    pam_env.so    debug

modify /etc/security/pam_env.conf, add a test entry such as:

MYNAME          DEFAULT="test-at"

log in /var/log/auth.log:

Jul 11 08:41:22 qemux86 atd[678]: pam_env(atd:setcred): pam_putenv("MYNAME=test-at")
    • pam_limits.so

add line to /etc/security/limits.conf

root    -       nofile  3

'at' job failed, log in /var/log/auth.log:

Jul 11 08:49:42 qemux86 atd[699]: pam_env(atd:setcred): Unable to open config file: /etc/security/pam_env.conf: Too many open files

modify the line:

root    -       nofile  4

'at' job successed, log in /var/log/auth.log:

Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session opened for user root by (uid=0)                      
Jul 11 08:59:59 qemux86 atd[738]: pam_unix(atd:session): session closed for user root

cronie

  • /etc/pam.d/crond:
account    required   pam_access.so
account    include    common-password
session    required   pam_loginuid.so
session    include    common-session-noninteractive
auth       include    common-auth
  • test commands:
crontab -e    # establish a crontab jobs and check if it works
crontab -l    # list crontab jobs for current user
  • test pam plugins

Verified, test ways and the logs/results please refer to other packages:

    • pam_env.so
    • pam_access.so
    • pam_unix.so
    • pam_permit.so
    • pam_deny.so
    • pam_loginuid.so
TBD

cups

  • /etc/pam.d/cups
auth	    required	pam_unix.so shadow nodelay
account    required	pam_unix.so
  • Modify /etc/cups/cupsd.conf:
...
- Listen localhost:631
+ Port 631
...
# Restrict access to the server...                               
<Location />                                                     
  Order allow,deny                                               
+ allow all                                                      
</Location>
...
# Restrict access to the admin pages...                          
<Location /admin>                                                
  Order allow,deny                                               
+ allow all                                                      
</Location> 
...
  • Test pam plugins
    • pam_unix.so

Add debug option to '/etc/pam/cups':

auth	    required	pam_unix.so shadow nodelay debug
account    required	pam_unix.so debug

Access the cups configure page via web browser:

http://<qemu.ip>:631

Click 'Administration' -> 'Add Printer', start the pop-window for user authentication, input correct user and password:

user: root
pwd: <correct password>

Entry the 'Add Printer' configure page successed.

Input error password:

user: root
pwd: <error password>

Check log in '/var/log/cups/error_log':

E [14/Jul/2011:02:41:26 +0800] cupsdAuthorize: pam_authenticate() returned 7 (Authentication failure)!

Modify '/etc/shadow':

-root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7:::
+root:$6$yMXdsttU$kT7A.n9bP0w0zzX6Uj1wmypHcq0lSGaC5/4xgNTZRSjNvW0q85ryBz8C6WNCbr22c6RjRKaVhv23ogrmoAo9m.:15168:0:99999:7::1:

Repeat the user authentication steps, check log in '/var/log/cups/error_log':

E [14/Jul/2011:03:05:00 +0800] cupsdAuthorize: pam_acct_mgmt() returned 13 (User account has expired)!

dropbear

  • For supporting pam in dropbear, we need two steps:
  • Add configuration "--enable-pam"
  • Add patches to open macro definition for supporting in option.h
--- a/ptions.h  2011-07-12 11:32:34.165333202 +0800
+++ b/options.h.new     2011-07-12 11:33:25.757332986 +0800
@@ -149,9 +149,9 @@
  * but there's an interface via a PAM module - don't bother using it otherwise.
  * You can't enable both PASSWORD and PAM. */
-#define ENABLE_SVR_PASSWORD_AUTH
+//#define ENABLE_SVR_PASSWORD_AUTH
 /* PAM requires ./configure --enable-pam */
-/*#define ENABLE_SVR_PAM_AUTH*/
+#define ENABLE_SVR_PAM_AUTH
 #define ENABLE_SVR_PUBKEY_AUTH
 /* Wether to ake public key options in authorized_keys file into account */
  • Test result(dropbear only support simple authentication, account and auth)
    • Server(account)
(server ip:192.168.7.2)
$touch /etc/pam.d/sshd
#%PAM-1.0
account  required     pam_access.so
$vi /etc/security/access.conf
- : root : ALL
    • Client
$ssh username@server-ip
(Disallow access)
    • log information
Jul 14 07:01:48 qemux86 dropbear[407]: pam_access(sshd:account): access denied for user `root' from `ssh'
Jul 14 07:01:48 qemux86 dropbear[407]: pam_acct_mgmt() failed, rc=6, Permission denied 
Jul 14 07:01:48 qemux86 dropbear[407]: bad PAM password attempt for 'root' from 192.168.7.1:33633
    • Server(auth)
$vi /etc/pam.d/sshd
 auth include common-auth
$vi /etc/pam.d/common-auth
#auth   [success=1 default=ignore]      pam_unix.so nullok_secure
auth    [success=0 default=ignore]      pam_unix.so debug
$ passwd -d username <blank password>
    • Client
$ssh username@server-ip
(Disallow access)
    • log information
Jul 14 07:06:42 qemux86 dropbear[421]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=yxf
Jul 14 07:06:44 qemux86 dropbear[421]: pam_authenticate() failed, rc=7, Authentication failure 
Jul 14 07:06:44 qemux86 dropbear[421]: bad PAM password attempt for 'yxf' from 192.168.7.1:379

openssh

  • Absent configuration /etc/pam.d/sshd, we need to add patches. After adding this file, it can support pam function through simple test.
  • Test Result
    • Configuration of sshd
auth       include      common-auth
account    required     pam_nologin.so
account    include      common-account
password   include      common-password
session    optional     pam_keyinit.so force revoke
session    include      common-session
session    required     pam_loginuid.so
    • auth include common-auth --Server
$echo 'UsePAM no' >>/etc/ssh/sshd_config
$vi /etc/ssh/sshd_config
 PermitEmptyPasswords yes 
Other is as same as sudo
    • log information
Jul 12 11:16:21 qemux86 sshd[650]: pam_unix(sshd:session): session opened for user test by (uid=0)


    • account required pam_nologin.so --Server
$touch /etc/nologin
    • Client
$ssh username@server-ip
(Disallow accession)
    • log information --Server
Jul 13 01:43:48 qemux86 sshd[672]: Accepted keyboard-interactive/pam for yxf from 192.168.7.1 port 59877 ssh2
Jul 13 01:43:48 qemux86 sshd[672]: fatal: PAM: pam_setcred(): Failure setting user credentia
    • account include common-account --Server
$vi /etc/ssh/sshd_config
 PermitEmptyPasswords no
$vi /etc/pam.d/common-account 
 #account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
 account [success=0 new_authtok_reqd=done default=ignore]        pam_unix.so
    • Client
$ssh username@server-ip
(Disallow accession)
    • log information
Jul 13 02:11:24 qemux86 sshd[752]: Failed password for root from 192.168.7.1 port 53784 ssh2
    • password include common-password
$vi /etc/pam.d/common-password
 password        [success=1 default=ignore]      pam_unix.so obscure sha512 
It's no use for sshd, So no test result for this item
    • session optional pam_keyinit.so force revoke --Server
No action
    • Client
$ssh username@server-ip
    • log information
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): OPEN 1
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0]  GID:1000 [0]
Jul 13 07:28:18 qemux86 sshd[1132]: pam_keyinit(sshd:session): JOIN = 236576375
    • Client( the same session as the above "client" )
$exit
    • log information
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): CLOSE 1,236576375,1
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): REVOKE 236576375
Jul 13 07:34:47 qemux86 sshd[1132]: pam_keyinit(sshd:session): UID:1000 [0]  GID:1000 [0]
    • session include common-session --Server
$vi /etc/pam.d/common-session
 #session [default=1] pam_permit.so
 session [default=0] pam_permit.so
    • Client
$ssh username@server-ip
(Disallow accession)
    • log information
Jul 13 05:53:35 qemux86 sshd[960]: error: PAM: pam_open_session(): Permission denied
Jul 13 05:53:35 qemux86 sshd[960]: Received disconnect from 192.168.7.1: 11: disconnected by user
    • session required pam_loginuid.so --Server(Record user´s login uid to the process attribute)
No action
    • Client
$ssh username@server-ip
    • log information
Jul 13 06:31:32 qemux86 sshd[1028]: pam_warn(sshd:session): function=[pam_sm_open_session] service=[sshd] terminal=[ssh] user=[yxf] ruser= [<unknown>] rhost=[ubuntuwindriver.local] 
Jul 13 06:31:32 qemux86 sshd[1028]: pam_unix(sshd:session): session opened for user yxf by (uid=0)

polkit

Polkit includes four binaries. Only pkexec depends on pam. So I use pkexec to make pam test. Pkexec allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.

  • Pam configuration file of polkit
%PAM-1.0
auth       include      common-auth
account    include      common-account
password   include      common-password
session    include      common-session
  • Test Reult
    • Normally pkexec can call pam modules from the above configuration file
$ pkexec cat /var/log/auth.log 
 ==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
 Authentication is needed to run `/bin/cat' as the super user
 Authenticating as: root
 Password: <---Input root password and press key "Enter"

Jul 14 22:13:18 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.10 [pkexec  cat /var/log/auth.log], 
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:18 emenlow polkit-agent-helper-1[2501]: PAM pam_parse: expecting non-zero; [... default=ignore]
Jul 14 22:13:21 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.10,
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
Jul 14 22:13:21 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 FAILED to authenticate to gain authorization for action
org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:14:37 emenlow polkitd(authority=local): Registered Authentication Agent for unix-process:2466:778527 (system bus name :1.11 [pkexec 
cat /var/log/auth.log], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
Jul 14 22:16:08 emenlow polkitd(authority=local): Operator of unix-process:2466:778527 successfully authenticated as unix-user:root to gain 
ONE-SHOT authorization for action org.freedesktop.policykit.exec for unix-process:2466:778527 [sh] (owned by unix-user:yxf)
Jul 14 22:16:08 emenlow pkexec: pam_unix(polkit-1:session): session opened for user root by root(uid=500)
Jul 14 22:16:08 emenlow pkexec[2507]: yxf: Executing command [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
Jul 14 22:16:08 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.11, 
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    • auth include common-auth
$vi /etc/pam.d/common-auth
 #auth    [success=1 default=ignore]      pam_unix.so nullok_secure
 auth    [success=0 default=ignore]      pam_unix.so nullok_secure
$ pkexec cat /var/log/auth.log 
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: 
polkit-agent-helper-1: pam_authenticate failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

This incident has been reported.

log information in /var/log/auth.log

Jul 14 22:23:24 emenlow pkexec[2515]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
    • account include common-account
$ vi /etc/pam.d/common-account
#account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account [success=0 new_authtok_reqd=done default=ignore]        pam_unix.so
$ pkexec cat /var/log/auth.log 
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: 
polkit-agent-helper-1: pam_acct_mgmt failed: Permission denied
Error: Permission denied
==== AUTHENTICATION FAILED ===
Error executing command as another user: Not authorized

log information in /var/log/auth.log

Jul 14 22:29:12 emenlow pkexec[2523]: yxf: Error executing command as another user: Not authorized [USER=root] [TTY=/dev/pts/0] [CWD=/] [COMMAND=/bin/cat /var/log/auth.log]
    • password include common-password
It is no use for polkit. So I don't test it
    • session include common-session
$ vi /etc/pam.d/common-session
#session [default=1]                     pam_permit.so
session [default=0]                     pam_permit.so
$ pkexec cat /var/log/auth.log 
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ===
Authentication is needed to run `/bin/cat' as the super user
Authenticating as: root
Password: 
==== AUTHENTICATION COMPLETE ===
pam_open_session() failed: Permission denied

log information in /var/log/auth.log

Jul 14 22:35:51 emenlow polkitd(authority=local): Unregistered Authentication Agent for unix-process:2466:778527 (system bus name :1.17, 
object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)

screen

screen use pam to authenticate users during unlock terminal. Its configure file screen comes from Fedora and replace system-auth with common-auth

 #%PAM-1.0
 auth       include      common-auth

First start screen:

 root@qemux86:/etc/pam.d# screen

it will show some information about screen, just press Space or Enter and it will give a screen terminal:

 root@qemux86:/etc/pam.d# 

then press "Ctrl+a x" will lock the screen terminal and show:

 Screen used by root <root>.
 Password:

In another root terminal, clear the root's password:

 password -d root

modify one line in common-auth

 auth	[success=1 default=ignore]	pam_unix.so nullok_secure

with

 auth	[success=1 default=ignore]	pam_unix.so debug

option nullok_secure will allow users who has blank password login, after remove it these users are not allowed to login.

Back to the screen terminal, press <Enter>(because root's password is blank now) will fail:

 Screen used by root <root>.
 Password:
 Screen used by root <root>.
 Password:

then modify the line in common-auth with

 auth	[success=1 default=ignore]	pam_unix.so nullok_secure debug

On the screen terminal press <Enter> again it unlock the terminal.

the log in /var/log/auth.log:

 Jul 11 14:14:14 qemux86 screen: pam_unix(screen:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=root

shadow

chage

/etc/pam.d/chage: replace system-auth with common-password

 #%PAM-1.0
 auth		sufficient	pam_rootok.so
 account	required	pam_permit.so
 password	include		common-auth(common-password)
  • test pam_rootok.so

add the only option for pam_rootok.so

 auth		sufficient	pam_rootok.so debug

run command chage as root:

 root@qemux86:/etc/pam.d# chage -m 10  test

log info in /var/log/message shows pam_rootok.so return success:

 Jul 12 06:55:18 qemux86 authpriv.debug chage[575]: pam_rootok(chage:auth): root check succeeded
 Jul 12 06:55:18 qemux86 authpriv.info chage[575]: changed password expiry for test
  • pam_unix.so

The password component of pam_unix.so performs the task of updating the user´s password. And chage changes user password expiry information.

No test point.

chfn

/etc/pam.d/chfn

 auth	    sufficient	pam_rootok.so
 auth       include      common-auth
 account    include      common-account
 session    include      common-session

add option debug to pam_rootok.so

 auth	    sufficient	pam_rootok.so debug
  • pam_rootok.so

run command chfn as root:

 root@qemux86:/etc/pam.d# chfn -f testyayay test

log info in /var/log/message shows pam_rootok.so return success:

 Jul 12 07:22:59 qemux86 authpriv.debug chfn[638]: pam_rootok(chfn:auth): root check succeeded
 Jul 12 07:22:59 qemux86 authpriv.info chfn[638]: changed user 'test' information
  • pam_unix.so

the content of common-auth are shown at section "Common configure files"

comment the configure file chfn pam_rootok.so line, because it will make pam return success:

 #auth		sufficient	pam_rootok.so

and modify the pam_unix.so line in common-auth to remove nullok_secure:

 auth	[success=1 default=ignore]	pam_unix.so debug

run commands:

 root@qemux86:/etc/pam.d# passwd -d root 
 root@qemux86:/etc/pam.d# chfn -f testself test # test is a unprivileged user
 Password: 
 chfn: PAM authentication failed

log in /var/log/message:

 Jul 12 07:53:16 qemux86 authpriv.notice chfn[673]: pam_unix(chfn:auth): authentication failure; logname=root uid=0 euid=0 tty= ruser= rhost=  user=root

chgpasswd

/etc/pam.d/chgpasswd(need patch)

 #%PAM-1.0
 auth		sufficient	pam_rootok.so
 account	required	pam_permit.so
 password	include		system-auth

test pam_rootok.so and pam_unix.so(common-password) refer to test steps in chfn

chpasswd

/etc/pam.d/chpasswd

 password   include      common-password

common-password are listed before, we remove the pam_unix.so option nullok_secure and add audit:

 password	[success=1 default=ignore]	pam_unix.so  audit

commands to test:

 root@qemux86:/etc/pam.d# chpasswd
 test:
 Press Ctrl+d, the follow are terminal output:
 No password supplied
 No password supplied
 No password supplied
 chpasswd: (user test) pam_chauthtok() failed, error:
 Authentication token manipulation error
 chpasswd: (line 1, user test) password not changed

syslog info:

 Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:auth): function=[pam_sm_authenticate] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
 Jul 15 04:53:39 qemux86 authpriv.notice chpasswd[844]: pam_warn(chpasswd:account): function=[pam_sm_acct_mgmt] service=[chpasswd] terminal=[<unknown>] user=[root] ruser=[<unknown>] rhost=[<unknown>]
 Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
 Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): username [test] obtained
 Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
 Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
 Jul 15 04:53:41 qemux86 authpriv.debug chpasswd[844]: pam_unix(chpasswd:chauthtok): bad authentication token
 Jul 15 04:53:41 qemux86 authpriv.notice chpasswd[844]: pam_unix(chpasswd:chauthtok): new password not acceptable

chsh

/etc/pam.d/chsh

 auth       required     pam_shells.so
 auth       sufficient      pam_rootok.so
 auth       include      common-auth
 account    include      common-account
 session    include      common-session
  • pam_shells.so

pam_shells only allows access to the system if the users shell is listed in /etc/shells. It also checks if /etc/shells is a plain file and not world writable.

check /etc/shells first:

 qemux86:~$ ls -l /etc/shells 
 -rw-r--r--    1 root     root           109 Jul 12 06:05 /etc/shells
 qemux86:~$ cat /etc/shells
 # /etc/shells: valid login shells
 /bin/sh
 /bin/ash
 /bin/bash
 /bin/dash
 /bin/ksh
 /usr/bin/ksh
 /usr/bin/screen
 qemux86:~$ 

login as a unprivileged user, the correct process is:

 qemux86:~$ chsh -s /bin/ash
 Password: <-- Enter password here
 qemux86:~$ 

syslog info:

 Jul 15 06:15:18 qemux86 authpriv.debug chsh[1283]: pam_rootok(chsh:auth): root check failed
 Jul 15 06:15:21 qemux86 authpriv.info chsh[1283]: changed user 'test' shell to '/bin/ash'

now remove /bin/ash from /etc/shells, then run the same command:

 qemux86:~$ chsh -s /bin/ash
 Password: <-- Enter password here
 chsh: /bin/ash is an invalid shell.
 qemux86:~$ 

if you make /etc/shells is writable to all people, chsh will fail with syslog info:

 Jul 15 05:38:38 qemux86 authpriv.err chsh[1091]: pam_shells(chsh:auth): /etc/shells is either world writable or not a normal file
  • pam_rootok.so

modify pam_rootok.so item:

 auth       required     pam_rootok.so debug

then unprivileged users can't change their shell.

 qemux86:~$ chsh -s /bin/ash
 Password: 
 chsh: PAM authentication failed
 qemux86:~$ 

syslog info:

 Jul 15 06:43:14 qemux86 authpriv.debug chsh[1350]: pam_rootok(chsh:auth): root check failed
  • pam_unix.so
    • pam_unix in common-auth: please refer to sudo tests
    • pam_unix in common-account and common-password don't have test point.

groupadd

/etc/pam.d/groupadd:

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok

please refer to chfn tests

  • pam_unix.so in common-password doesn't has test point

groupdel

/etc/pam.d/groupdel(need patch)

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok

please refer to chfn tests

groupmems

/etc/pam.d/groupmems

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok:

refer to chfn tests

  • pam_unix in common-password doesn't has test point

groupmod

/etc/pam.d/groupmod

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         common-password
  • pam_rootok

refer to chfn tests

  • pam_unix in common-password

no test point

login

/etc/pam.d/login

 auth       optional     pam_faildelay.so  delay=3000000
 auth       [success=ok ignore=ignore user_unknown=ignore default=die]  pam_securetty.so
 auth       requisite    pam_nologin.so
 session    required     pam_env.so readenv=1
 session    required     pam_env.so readenv=1 envfile=/etc/default/locale
 auth       include      common-auth
 auth       optional     pam_group.so
 session    required     pam_limits.so                                      
 session    optional     pam_lastlog.so                                     
 session    optional     pam_motd.so                              
 session    optional     pam_mail.so standard                    
                                                             
 account    include      common-account                        
 password   include      common-password                       
 session    include      common-session
  • pam_faildelay

this plugin an be used to set the delay on failure per-application. We increase "delay" to make it more obviously

 auth       optional   pam_faildelay.so  delay=10000000

run login as root:

 root@qemux86:~# login
 qemux86 login: root
 Password: <-- enter a wrong password here, then will wait for 10 seconds to show next "login:"
 
 Login incorrect
 qemux86 login: 

syslog info:

 Jul 17 07:22:17 qemux86 authpriv.notice login[2223]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=root
 Jul 17 07:22:26 qemux86 authpriv.notice login[2223]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'root', Authentication failure
  • pam_securetty

pam_securetty allows root logins only if the user is logging in on a "secure" tty, as defined by the listing in /etc/securetty.

test steps:

 # ssh to yocto linux
 $ ssh root@192.168.7.2
 root@qemux86:~# tty 
 /dev/pts/1
 root@qemux86:~# login
 qemux86 login: root
                     <-- don't ask for password, failed directly 
 Login incorrect
 qemux86 login: 

syslog info

 Jul 17 07:52:32 qemux86 authpriv.warn login[2341]: pam_securetty(login:auth): access denied: tty 'pts/1' is not secure !
 Jul 17 07:52:35 qemux86 authpriv.notice login[2341]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'root', Authentication failure

Then add "pts/1" to file /etc/securetty, run commonds:

 root@qemux86:~# login
 qemux86 login: root
 Password: 
 Last login: Sun Jul 17 07:52:21 UTC 2011 from k-desktop.local on pts/1
 root@qemux86:~# 

syslog info

 Jul 17 07:56:00 qemux86 authpriv.notice login[2348]: ROOT LOGIN  on '/dev/pts/1'
  • pam_nologin

pam_nologin prevents non-root users from logging into the system when /etc/nologin exists.

test steps

 root@qemux86:~# ls /etc/nologin
 ls: /etc/nologin: No such file or directory
 root@qemux86:~# login
 qemux86 login: test
 Last login: Sun Jul 17 07:19:24 UTC 2011 on pts/2
 qemux86:~$ logout
 root@qemux86:~# touch /etc/nologin
 root@qemux86:~# login
 qemux86 login: test
 
 
 Login incorrect
 qemux86 login: 

syslog info

 Jul 17 08:08:07 qemux86 authpriv.info login[2366]: pam_unix(login:session): session opened for user test by root(uid=0)
 Jul 17 08:08:08 qemux86 authpriv.info login[2366]: pam_unix(login:session): session closed for user test
 Jul 17 08:08:51 qemux86 authpriv.notice login[2371]: FAILED LOGIN (1) on '/dev/pts/1' FOR 'test', Authentication failure
  • pam_env

refer to su tests

  • pam_unix in common-auth

refer to chfn tests

  • pam_group

pam_group grants group memberships to the user. Its configure file is /etc/security/group.conf.

First get your current tty by run

 root@qemux86:/etc/pam.d# tty
 /dev/pts/2
 root@qemux86:/etc/pam.d# 

then add a item to /etc/security/group.conf

 login; pts/* ;%root;Al0000-2400;plugdev,test 

after that run commands

 root@qemux86:/etc/pam.d# id
 uid=0(root) gid=0(root) groups=0(root)
 root@qemux86:/etc/pam.d# login
 qemux86 login: root
 
 Password: 
 Last login: Mon Jul 18 00:20:47 UTC 2011 on pts/2
 root@qemux86:~# id
 uid=0(root) gid=0(root) groups=0(root),46(plugdev),1001(test)
 root@qemux86:~#
  • pam_limits

pam_limits sets limits on the system resources that can be obtained in a user-session.

Its default configure file is /etc/security/limits.conf, modify it with

 test        -       maxlogins       1

Login unprivileged user "test"

 root@qemux86:/etc/pam.d# login
 qemux86 login: test
 Last login: Sun Jul 17 08:08:07 UTC 2011 on pts/1
 qemux86:~$  

And login in another terminal

 root@qemux86:~# login
 qemux86 login: test
 Too many logins for 'test'.
 Last login: Mon Jul 18 01:21:54 UTC 2011 on pts/2
 
 Permission denied

syslog info:

 Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): reading settings from '/etc/security/limits.conf'
 Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): process_limit: processing - maxlogins 1 for USER
 Jul 18 01:39:55 qemux86 authpriv.debug login[2668]: pam_limits(login:session): checking logins for 'test' (maximum of 1)
 Jul 18 01:39:55 qemux86 authpriv.warn login[2668]: pam_limits(login:session): Too many logins (max 1) for test
 Jul 18 01:39:55 qemux86 authpriv.info login[2668]: pam_unix(login:session): session opened for user test by root(uid=0)
 Jul 18 01:39:55 qemux86 authpriv.err login[2668]: Permission denied
  • pam_lastlog

pam_lastlog is to display date of last login. add options to pam_lastlog

 session    optional   pam_lastlog.so debug nodate

run commands and you can check that no last login date information shows

 root@qemux86:~# login
 qemux86 login: test
 Last login: on pts/2
 qemux86:~$
  • pam_motd

pam_motd can be used to display arbitrary motd (message of the day) files after a successful login. By default the /etc/motd file is shown.

test steps:

 root@qemux86:~# cat /etc/motd
 root@qemux86:~# echo "Welcome to Yocto" > /etc/motd
 root@qemux86:~# login
 qemux86 login: root
 Password: 
 Last login: on pts/1
 Welcome to Yocto
 root@qemux86:~#
  • pam_mail

refer to su tests

newusers

/etc/pam.d/newusers

 password   include      common-password
  • pam_unix

modify the pam_unix item in common-password

 password        [success=1 default=ignore]      pam_unix.so debug 

run command:

 root@qemux86:~# newusers
 a::::::[Press key Enter]
 [Press Ctrl+d]
 No password supplied
 No password supplied
 No password supplied
 newusers: (user a) pam_chauthtok() failed, error:
 Authentication token manipulation error
 newusers: (line 1, user a) password not changed

syslog info:

 Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
 Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): username [a] obtained
 Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
 Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
 Jul 15 09:50:17 qemux86 authpriv.debug newusers[1560]: pam_unix(newusers:chauthtok): bad authentication token
 Jul 15 09:50:17 qemux86 authpriv.notice newusers[1560]: pam_unix(newusers:chauthtok): new password not acceptable

passwd

/etc/pam.d/passwd

 password   include      common-password
  • pam_unix in common-password

modify the item to make password length not less than 4 characters:

 password        [success=1 default=ignore]      pam_unix.so minlen=4 debug

run test commands:

 qemux86:~$ passwd
 Changing password for test.
 (current) UNIX password: <-- input 123 here
 Enter new UNIX password: 
 Retype new UNIX password: 
 You must choose a longer password
 Enter new UNIX password: <-- input 1234 here
 Retype new UNIX password: 
 passwd: password updated successfully
 qemux86:~$ 

syslog doesn't has detail informatiaon

 Jul 17 02:00:39 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
 Jul 17 02:00:41 qemux86 authpriv.debug passwd[1649]: pam_unix(passwd:chauthtok): username [test] obtained
 Jul 17 02:00:49 qemux86 authpriv.notice passwd[1649]: pam_unix(passwd:chauthtok): password changed for test

su

/etc/pam.d/su

 auth       sufficient   pam_rootok.so
 session    required     pam_env.so readenv=1
 session    required     pam_env.so readenv=1 envfile=/etc/default/locale
 session    optional     pam_mail.so nopen
 auth       include      common-auth
 account    include      common-account
 session    include      common-session
  • pam_rootok

refer to chfn tests

  • pam_env

option readenv=1 means read configure file pointed by variable envfile, default is /etc/environment

We will add a variable named YOCTO to /etc/environment. First we will check there is no var YOCTO after su

 root@qemux86:~# su test
 test@qemux86:/home/root$ echo $YOCTO
 test@qemux86:/home/root$ 

after add YOCTO=yoctolinux to /etc/environment, then test again

 root@qemux86:~# su test
 test@qemux86:/home/root$ echo $YOCTO
 yoctolinux
 test@qemux86:/home/root$ 
  • pam_mail

The mailx in Yocto can NOT run correctly, so didn't test it. Test steps should be as follows. First remove option nopen which prevents show user mails

 #session    optional   pam_mail.so nopen
 session    optional   pam_mail.so 

Then mail a user, such as root(run test on Fedora 14)

 [packager@F14 ~]$ mail root
 Subject: test
 test
 EOT
 [packager@F14 ~]$ export LANG=C
 [packager@F14 ~]$ su -
 Password: 
 You have old mail in folder /var/mail/root.
 [root@F14 ~]#
  • pam_unix in common-auth

refer to chfn tests

  • pam_unix in common-account/common-session has no test point

useradd

/etc/pam.d/useradd(need patch)

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok

refer to chfn tests

  • pam_unix in common-password:

no test point

userdel

/etc/pam.d/userdel(need patch)

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok

refer to chfn tests

  • pam_unix in common-password:

no test point

usermod

/etc/pam.d/usermod(need patch)

 #%PAM-1.0
 auth            sufficient      pam_rootok.so
 account         required        pam_permit.so
 password        include         system-auth(common-password)
  • pam_rootok

refer to chfn tests

  • pam_unix in common-password

no test point

sudo

  • /etc/pam.d/sudo comes from Fedora, and replace system-auth with common-auth
 #%PAM-1.0
 auth       include      common-auth
 account    include      common-account
 password   include      common-password
 session    required     pam_keyinit.so revoke
 session    required     pam_limits.so

and content of common-auth has been show above.

  • test pam plugins
    • pam_unix.so

modify common-auth:

 auth    [success=1 default=ignore]      pam_unix.so debug

then unpriviledge user can NOT run sudo with blank password

 qemux86:~$ sudo rm /test
 Password:
 Sorry, try again.
 Password:
 Sorry, try again.
 Password:
 Sorry, try again.
 sudo: 3 incorrect password attempts
 qemux86:~$ sudo rm /test
 qemux86:~$

log in /var/log/auth.log:

 Jul  8 16:39:04 qemux86 sudo: pam_unix(sudo:auth): authentication failure; logname=test-pam uid=0 euid=0 tty=/dev/pts/1 ruser=test-pam rhost=  user=test-pam
 Jul  8 16:39:14 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 Jul  8 16:39:31 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
 Jul  8 16:39:31 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
    • pam_deny.so

mv line

 auth    requisite                       pam_deny.so

to the head of file, unprivilege user can NOT sudo any more:

 qemux86:~$ sudo rm /test
 Sorry, try again.
 Sorry, try again.
 Sorry, try again.
 sudo: 3 incorrect password attempts
 qemux86:~$

log in /var/log/auth.log:

 Jul  7 14:03:29 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
    • pam_permit.so

comment this line

 auth    required                        pam_permit.so

sudo will fail without ask user to enter password:

 qemux86:~$ sudo rm /test
 Sorry, try again.
 Sorry, try again.
 Sorry, try again.
 sudo: 3 incorrect password attempts
 qemux86:~$

log in /var/log/auth.log:

 Jul  7 12:43:22 qemux86 sudo: test-pam : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm -f /test
    • pam_limits.so

add line to /etc/security/limits.conf

 *        -       nofile       3

then sudo will fail:

 qemux86:~$ sudo rm /test
 Inconsistency detected by ld.so: dl-deps.c: 622: _dl_map_object_deps: Assertion `nlist > 1' failed!

modify the line:

 *        -       nofile       4
 qemux86:~$ sudo rm /test
 qemux86:~$

log in /var/log/auth.log:

 Jul  8 14:24:41 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
 Jul  8 14:24:41 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 Jul  8 14:24:41 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
 Jul  8 14:24:41 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 3 for DEFAULT
 Jul  8 14:24:50 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 Jul  8 14:24:50 qemux86 sudo: pam_limits(sudo:session): reading settings from '/etc/security/limits.conf'
 Jul  8 14:24:50 qemux86 sudo: pam_limits(sudo:session): process_limit: processing - nofile 4 for DEFAULT
    • pam_keyinit

add option debug

 session    optional     pam_keyinit.so revoke debug

log shows pam_keyinit was called:

 Jul  7 14:13:39 qemux86 sudo: pam_warn(sudo:account): function=[pam_sm_acct_mgmt] service=[sudo] terminal=[/dev/pts/1] user=[test-pam] ruser=[test-pam] rhost=[<unknown>]
 Jul  7 14:13:39 qemux86 sudo: test-pam : TTY=pts/1 ; PWD=/home/test-pam ; USER=root ; COMMAND=/bin/rm /test
 Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): OPEN 1
 Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): UID:0 [0]  GID:0 [1000]
 Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 143761918
 Jul  7 14:13:39 qemux86 sudo: pam_keyinit(sudo:session): GET SESSION = 669161571

according the source code pam_keyinit.c line 102 in function init_keyrings, the module return PAM_SUCCESS

Identify upstream PAM patches to use

After checking the Fedora develop repository, the following packages may need patches(only libpam need to upgrade, other patches are pam related configure file but they are absent in poky):

  • libpam: need update from current 1.1.3 to 1.1.4 Release Notes
  • sudo: package sudo in Fedora provides /etc/pam.d/sudo and /etc/pam.d/sudo-i
    • /etc/pam.d/sudo (Yocto use common-auth instead of system-auth)
 #%PAM-1.0
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
 session    optional     pam_keyinit.so revoke
 session    required     pam_limits.so
  • screen: check Fedora screen.pam
  • util-linux: check Fedora source file util-linux-remote.pamd
  • at: check Fedora util-linux-remote.pamd
  • cups: check Fedora cups-1.1.16-system-auth.patch
  • openssh: check Fedora sshd.pam

PAM Unit Tests

We use unit test cases provided by libpam itself, a subdirectory with name "xtests" under libpam source code. Right now we spit it as a sub-package libpam-xtests. After "bitbake libpam" you can find it under deploy directory. And it requires some packages:

   pam-plugin-debug  
   pam-plugin-access  
   pam-plugin-cracklib 
   pam-plugin-time  
   pam-plugin-pwhistory  
   pam-plugin-succeed-if  

All test cases are:

   tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
   tst-pam_dispatch4 tst-pam_dispatch5 \
   tst-pam_cracklib1 tst-pam_cracklib2 \
   tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
   tst-pam_access1 tst-pam_access2 tst-pam_access3 \
   tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
   tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
   tst-pam_pwhistory1 tst-pam_time1

On build machine after install package libpam-xtests, go to the xtexts directory and run tests

 export ALL_TESTS="tst-pam_dispatch1 tst-pam_dispatch2 tst-pam_dispatch3 \
   tst-pam_dispatch4 tst-pam_dispatch5 \
   tst-pam_cracklib1 tst-pam_cracklib2 \
   tst-pam_unix1 tst-pam_unix2 tst-pam_unix3 tst-pam_unix4 \
   tst-pam_access1 tst-pam_access2 tst-pam_access3 \
   tst-pam_access4 tst-pam_limits1 tst-pam_succeed_if1 \
   tst-pam_group1 tst-pam_authfail tst-pam_authsucceed \
   tst-pam_pwhistory1 tst-pam_time1"
 cd /usr/share/Linux-PAM/xtests
 ./run-xtests.sh `pwd` $ALL_TESTS

If you want to run sigle test case, just run (take tst-pam_time1 for example)

 ./run-xtests.sh . tst-pam_time1

Two unit tests may NOT passed, they need some prerequisite:

  • tst-pam_cracklib1
  • tst-pam_cracklib2
    • need /lib/security/pam_cracklib.so, need build cracklib first, and then libpam will check it and create pam-plugin-cracklib
    • need /usr/share/cracklib/pw_dict.pwd file, please run command on host machine:
 cp /usr/share/cracklib/cracklib-small /tmp
 gzip /tmp/cracklib-small
 create-cracklib-dict /tmp/cracklib-small.gz

Notes

Packages dropped

At the beginning we got a list of packages that use pam. After more work, some of them are dropped.

  • consolekit provides a pam plugin module pam_ck_connector.so and not the package that use pam. Drop it.
  • gnome-keyring can't call configuration file like "/etc/pam.d/gnome-keyring" because it is called by other program like "gnome-screensave" and "gdm". If we want test "pam_gnome_keyring.so", we need write .bb files to cross-compile gnome-screensave or gdm. So drop it.
  • util-linux: 3 programs chfn chsh and login in util-linux will use libpam. Right now these programs are provided by package shadow. In util-linux.inc, EXTRA_OECONF has option "--disable-login-utils " which will disable to build them. Drop it.
  • mc: mc has remove package mcserv and dropped dependency on PAM already, but didn't remove checking security/pam_misc.h. Drop it. Official change log
  • libcap: if pam exists, libcap will create a pam plugin pam_cap.so to add a new front end for the authentication function. Because it is not a application, remove it from list.
  • libuser: pam is libuser's build dependency, so remove it too.
  • The busybox login has a option to use pam, but we use tinylogin's login right now (tinylogin also provides the su command)
  • If you want to use pam_limits in /etc/pam.d/login, you have to add VIRTUAL-RUNTIME_login_manager = "busybox" to your distro config in order to replace tinylogin with busybox, as tinylogin does not provide PAM capabilites; also make sure that "login" and "PAM" are enabled in your busybox config
  • gettext only has a example "hello-c++-kde" use pam under source code directory, and it doen't be compiled and only copied to destination. So omit gettext.
  • sysvinit has a patch contrib/notify-pam-dead.patch for /sbin/init to use pam, but the whole contrib directory didn't take part in compilation. Drop it.
  • xserver: based on following 2 reason drop it.
    • the code use pam is old. Add xserver to original list to be pam-enabled by "bzgrep" tar balls. But in xserver the code to use pam only in os/utils.c function CheckUserAuthorization. No configure mechanism is provided to define macro USE_PAM to make the pam codes enabled. According to the comments, pam authentication only done for setuid servers (uid != euid). Our Xorg is not a setuid server, so we don't need it .
    • Xorg in Fedora doesn't support pam. Once I check the xorg-x11-server.spec, and it installs a pam related configure file, so I thought it is pam enabled. But I check the executable file /usr/bin/Xorg , that /usr/bin/Xorg even doesn't link to libpam or libpam_misc. The config file "xserver" is also from Fedora 15, because it is not supported by Fedora itself we don't have any reason to support the configure file in oe.

Common configure files

When import pam related configure file for each package from Fedora, it may contains "include system-auth". System-auth is the Fedora common configure file and it is autogenerated by command authconfig. It contain all 4 types(auth, account, session, password) rules. But in Yocto these common rules are seperated according pam type, and they are common-auth, common-account, common-session and common-password.

So if configure files from Fedora contains system-auth, we use the seperated common configure files instead.